Georgia Department of Community Health services possibly hacked by Russian cybercriminals
ATLANTA - Some who use services provided by the Georgia Department of Community Health are being alerted about a possible data breach believed to be orchestrated by a Russian cyber-extortion gang's global hack of a file-transfer program.
Maximus Health Services, Inc., which is contracted by the GDCH, reported a breach dating back to the end of May.
In a "HIPAA Notice" obtained by FOX 5 News on Tuesday, Maximus disclosed that the incident "involved certain individuals,' including certain minor dependents,' personal information." However, it did not release how many people are believed to be impacted.
The notice disclosed that Maximus "detected unusual activity" on May 30 and took steps to severe vendor software by the next day.
"The incident involved a critical vulnerability in MOVEit Transfer, a third-party software application provided by Progress Software Corporation (Progress)," the notice states. "Maximus is among the many organizations in the United States and globally that have been impacted by the MOVEit vulnerability."
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint statement in June addressing the vulnerability. The Department of Education also warned schools across the country which use the software.
The same exploit is believed to have impacted University System of Georgia.
"Maximus takes this very seriously and is providing this notice to help individuals understand what happened, what Maximus is doing, and steps individuals can take to protect their information," the statement continues.
An investigation determined between May 27 and May 31, "unauthorized party obtained copies of certain files that were saved in the Maximus MOVEit application." A system audit report on Aug. 20 states the stolen "files contained some individuals’ personal information."
Some of that data may include case numbers, and the Head of Household's (HOH) name, date of birth, Social Security Number, address, email address, phone number and Client ID.
"As good practice, it is recommended that individuals regularly monitor account statements and monitor free credit reports. If individuals identify suspicious activity, individuals should contact the company that maintains the account on their behalf," the statement reads.
Maximus is offering two years of complimentary access to Experian IdentityWorks to those impacted.
Those who believe they have been impacted by the data breach and would like ddditional information should contact Maximus at 833-919-4749 toll‐free Monday through Friday from 9 a.m. to 11 p.m., and Saturday and Sunday from 11 a.m. to 8 p.m., excluding major U.S. holidays.
Maximus says it is notifying individuals by letter with an "engagement number" in dealing with questions about the breach.